ci: add a new wolfi-exp runtype and build/push a wolfi image (#46720)

Co-authored-by: Will Dollman <will.dollman@sourcegraph.com>

dev/ci/runtype/runtype.go

@@ -15,6 +15,7 @@ const (
 
 	PullRequest    RunType = iota // pull request build
 	BazelExpBranch                // branch that runs specific bazel steps
+	WolfiExpBranch                // branch that only builds wolfi images
 
 	// Nightly builds - must be first because they take precedence
 
@@ -142,6 +143,10 @@ func (t RunType) Matcher() *RunTypeMatcher {
 		return &RunTypeMatcher{
 			Branch: "bzl/",
 		}
+	case WolfiExpBranch:
+		return &RunTypeMatcher{
+			Branch: "wolfi/",
+		}
 	case ImagePatch:
 		return &RunTypeMatcher{
 			Branch:                 "docker-images-patch/",
@@ -176,6 +181,8 @@ func (t RunType) String() string {
 		return "Pull request"
 	case BazelExpBranch:
 		return "Bazel Exp Branch"
+	case WolfiExpBranch:
+		return "Wolfi Exp Branch"
 	case ReleaseNightly:
 		return "Release branch nightly healthcheck build"
 	case BextNightly:

doc/dev/background-information/ci/reference.md

@@ -98,6 +98,21 @@ Base pipeline (more steps might be included based on branch changes):
 - Build //dev/sg
 - Upload build trace
 
+### Wolfi Exp Branch
+
+The run type for branches matching `wolfi/`.
+You can create a build of this run type for your changes using:
+
+```sh
+sg ci build wolfi
+```
+
+Base pipeline (more steps might be included based on branch changes):
+
+- **Metadata**: Pipeline metadata
+- Build stuff foobar
+- Upload build trace
+
 ### Release branch nightly healthcheck build
 
 The run type for environment including `{"RELEASE_NIGHTLY":"true"}`.

doc/dev/background-information/sg/reference.md

@@ -241,6 +241,7 @@ This command is useful when:
 Supported run types when providing an argument for 'sg ci build [runtype]':
 
 * bzl
+* wolfi
 * main-dry-run
 * docker-images-patch
 * docker-images-patch-notest

enterprise/dev/ci/internal/ci/pipeline.go

@@ -91,6 +91,8 @@ func GeneratePipeline(c Config) (*bk.Pipeline, error) {
 	switch c.RunType {
 	case runtype.BazelExpBranch:
 		ops.Merge(BazelOperations())
+	case runtype.WolfiExpBranch:
+		ops.Merge(WolfiOperations())
 	case runtype.PullRequest:
 		// First, we set up core test operations that apply both to PRs and to other run
 		// types such as main.

enterprise/dev/ci/internal/ci/wolfi_operations.go

@@ -0,0 +1,24 @@
+package ci
+
+import (
+	"fmt"
+
+	bk "github.com/sourcegraph/sourcegraph/enterprise/dev/ci/internal/buildkite"
+	"github.com/sourcegraph/sourcegraph/enterprise/dev/ci/internal/ci/operations"
+)
+
+func WolfiOperations() *operations.Set {
+	ops := operations.NewSet()
+	ops.Append(buildWolfi("foobar"))
+	return ops
+}
+
+func buildWolfi(target string) func(*bk.Pipeline) {
+	return func(pipeline *bk.Pipeline) {
+		pipeline.AddStep(fmt.Sprintf(":wolf: Build stuff %s", target),
+			bk.Cmd(fmt.Sprintf("./enterprise/dev/ci/scripts/wolfi/build.sh %s", target)),
+			// We want to run on the bazel queue, so we have a pretty minimal agent.
+			bk.Agent("queue", "bazel"),
+		)
+	}
+}

enterprise/dev/ci/scripts/wolfi/build.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+cd "$(dirname "${BASH_SOURCE[0]}")/../../../../.."
+
+set -euf -o pipefail
+tmpdir=$(mktemp -d -t wolfi-bin.XXXXXXXX)
+function cleanup() {
+  echo "Removing $tmpdir"
+  rm -rf "$tmpdir"
+}
+trap cleanup EXIT
+
+(
+  cd "$tmpdir"
+  mkdir bin
+
+  # Install apko
+  wget https://github.com/chainguard-dev/apko/releases/download/v0.6.0/apko_0.6.0_linux_amd64.tar.gz
+  tar zxf apko_0.6.0_linux_amd64.tar.gz
+  mv apko_0.6.0_linux_amd64/apko bin/apko
+
+  # Install apk
+  wget https://gitlab.alpinelinux.org/alpine/apk-tools/-/package_files/62/download -O bin/apk
+  chmod +x bin/apk
+)
+
+export PATH="$tmpdir/bin:$PATH"
+
+name=${1%/}
+
+if [ ! -d "wolfi-images/${name}" ]; then
+  echo "Directory '$name' does not exist"
+  exit 1
+fi
+
+if [ ! -f "wolfi-images/${name}/apko.yaml" ]; then
+  echo "File '$name/apko.yaml' does not exist"
+  exit 1
+fi
+
+cd "wolfi-images/${name}"
+
+echo " * Building apko base image '$name'"
+image_name="sourcegraph-wolfi/${name}-base"
+tarball="sourcegraph-wolfi-${name}-base.tar"
+apko build --debug apko.yaml \
+  "$image_name:latest" \
+  "$tarball" ||
+  (echo "*** Build failed ***" && exit 1)
+
+docker load <"$tarball"
+docker tag "$image_name" "us.gcr.io/sourcegraph-dev/wolfi-${name}:latest"
+docker push "us.gcr.io/sourcegraph-dev/wolfi-${name}:latest"

wolfi-images/foobar/apko.yaml

@@ -0,0 +1,35 @@
+contents:
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  repositories:
+    - https://packages.wolfi.dev/os
+  packages:
+    ## Base set of packages included in sourcegraph/alpine base image
+    - wolfi-baselayout
+    - ca-certificates-bundle
+    - tzdata
+    - tini
+    - mailcap
+    # Dev tools - may not be required in production
+    - busybox
+    - curl
+    - wget
+
+accounts:
+  groups:
+    - groupname: sourcegraph
+      gid: 101
+  users:
+    - username: sourcegraph
+      uid: 100
+      gid: 101
+
+# NOTE: This is ignored (see build output)
+# To force amd64, first run `docker pull --platform linux/arm64 cgr.dev/chainguard/apko`
+archs:
+ - amd64
+
+annotations:
+  org.opencontainers.image.url: https://sourcegraph.com/
+  org.opencontainers.image.source: https://github.com/sourcegraph/sourcegraph/
+  org.opencontainers.image.documentation: https://docs.sourcegraph.com/